
Commit c62ad60

committed
up
1 parent 187d69a commit c62ad60

5 files changed

Lines changed: 140 additions & 25 deletions

File tree

README.md

Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -194,6 +194,102 @@ kubectl create secret generic 1passwordconnect \
194194
- **SOPS**: Used for encrypting Talos secrets
195195
- **No plaintext secrets in Git**
196196

197+
## 🗄️ MinIO S3 Backup Configuration
198+
199+
This cluster uses **TrueNAS Scale MinIO** for S3-compatible storage backups, particularly for Longhorn persistent volume backups.
200+
201+
### MinIO Setup on TrueNAS Scale
202+
203+
1. **Install MinIO App** in TrueNAS Scale Apps
204+
2. **Access MinIO Console** at `http://192.168.10.133:9002`
205+
3. **Configure via MinIO Client (mc)**:
206+
207+
```bash
208+
# Access MinIO container shell in TrueNAS
209+
sudo docker exec -it <minio_container_name> /bin/sh
210+
211+
# Set up MinIO client alias (use your MinIO root credentials)
212+
mc alias set local http://localhost:9000 minio <your-root-password>
213+
214+
# Verify connection
215+
mc admin info local
216+
217+
# Create dedicated user for Longhorn backups
218+
mc admin user add local longhorn-user SecurePassword123!
219+
220+
# Create service account for the user (generates access keys)
221+
mc admin user svcacct add local longhorn-user --name "longhorn-backup-access"
222+
# Output: Access Key: ABC123XYZ789EXAMPLE0
223+
# Output: Secret Key: ExampleSecretKey123+RandomChars/ForDocumentation
224+
225+
# Create backup bucket
226+
mc mb local/longhorn-backups
227+
228+
# Create IAM policy for Longhorn bucket access
229+
cat > /tmp/longhorn-policy.json << 'EOF'
230+
{
231+
"Version": "2012-10-17",
232+
"Statement": [
233+
{
234+
"Effect": "Allow",
235+
"Action": [
236+
"s3:GetBucketLocation",
237+
"s3:ListBucket",
238+
"s3:ListBucketMultipartUploads"
239+
],
240+
"Resource": "arn:aws:s3:::longhorn-backups"
241+
},
242+
{
243+
"Effect": "Allow",
244+
"Action": [
245+
"s3:GetObject",
246+
"s3:PutObject",
247+
"s3:DeleteObject",
248+
"s3:AbortMultipartUpload",
249+
"s3:ListMultipartUploadParts"
250+
],
251+
"Resource": "arn:aws:s3:::longhorn-backups/*"
252+
}
253+
]
254+
}
255+
EOF
256+
257+
# Apply the policy
258+
mc admin policy create local longhorn-backup-policy /tmp/longhorn-policy.json
259+
mc admin policy attach local longhorn-backup-policy --user longhorn-user
260+
261+
# Verify setup
262+
mc ls local/longhorn-backups
263+
```
264+
265+
### 1Password Secret Management
266+
267+
Store MinIO credentials securely in 1Password:
268+
269+
1. **Create 1Password item** named `minio`
270+
2. **Add fields**:
271+
- `minio_access_key`: `ABC123XYZ789EXAMPLE0`
272+
- `minio_secret_key`: `ExampleSecretKey123+RandomChars/ForDocumentation`
273+
- `minio_endpoint`: `http://192.168.10.133:9000`
274+
275+
### Longhorn S3 Backup Configuration
276+
277+
The cluster automatically configures Longhorn to use MinIO via:
278+
279+
- **External Secret**: `infrastructure/storage/longhorn/externalsecret.yaml`
280+
- **Backup Settings**: `infrastructure/storage/longhorn/backup-settings.yaml`
281+
- **Backup Target**: `s3://longhorn-backups@us-east-1/`
282+
283+
### Backup Schedule
284+
285+
Automated backups are configured with different tiers:
286+
287+
| Data Tier | Snapshot Frequency | Backup Frequency | Retention |
288+
|-----------|-------------------|------------------|-----------|
289+
| **Critical** | Hourly | Daily (2 AM) | 30 days |
290+
| **Important** | Every 4 hours | Daily (3 AM) | 14 days |
291+
| **Standard** | Daily | Weekly | 4 weeks |
292+
197293
## 🔍 Verification
198294
```bash
199295
# Check Talos node health
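Review bot: the line `mc admin user add local longhorn-user SecurePassword123!` passes a literal password on the command line (it ends up in the container's shell history), and the two `# Output:` keys are then reused verbatim as the `minio_access_key` / `minio_secret_key` values in the 1Password section; since the README states **No plaintext secrets in Git** a few lines above, mark these as placeholders in the same style already used for `<your-root-password>` (e.g. `<longhorn-user-password>`, `<generated-access-key>`) and say that the real values go only into the 1Password `minio` item. Two smaller points: the console is documented on port 9002 while the API endpoint used everywhere else is 9000, which deserves a one-line note so nobody puts the console port into `minio_endpoint`; and the final `mc ls local/longhorn-backups` runs under the root alias, so it does not exercise `longhorn-backup-policy`; setting a second alias with the service-account keys and listing the bucket with it would verify the grant actually works.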
@@ -215,6 +311,14 @@ kubectl get applications -n argocd -l type=application
215311
# Check secrets
216312
kubectl get pods -n 1passwordconnect
217313
kubectl get externalsecret -A
314+
315+
# Verify Longhorn backup configuration
316+
kubectl get backuptarget -n longhorn-system
317+
kubectl get secret longhorn-backup-credentials -n longhorn-system
318+
319+
# Test MinIO connectivity from cluster
320+
kubectl run -it --rm debug --image=minio/mc --restart=Never -- \
321+
mc alias set test http://192.168.10.133:9000 <access-key> <secret-key>
218322
```
219323

220324
## 📋 Documentation
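Review bot: in the connectivity test, `<access-key> <secret-key>` are given as pod command arguments, so they become visible in the pod spec (`kubectl get pod debug -o yaml`) and in API-server audit logs even though the pod is `--rm`; since the hunk already checks `kubectl get secret longhorn-backup-credentials -n longhorn-system`, consider running the debug pod with the keys injected from that Secret as environment variables instead of typed on the command line, and append `mc ls test/longhorn-backups` after the alias line so the check exercises the bucket the policy grants rather than only the endpoint.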

README2.md

Lines changed: 0 additions & 6 deletions
This file was deleted.

infrastructure/storage/longhorn/backup-settings.yaml

Lines changed: 9 additions & 19 deletions
@@ -4,33 +4,23 @@ metadata:
44
name: longhorn-backup-config
55
namespace: longhorn-system
66
data:
7-
# TrueNAS Scale NFS backup configuration
8-
backup-target: "nfs://192.168.10.133:/mnt/BigTank/k8s/longhornbackup"
9-
# Alternative S3-compatible backup (if TrueNAS has MinIO)
10-
# backup-target: "s3://longhorn-backups@us-east-1/"
11-
---
12-
apiVersion: v1
13-
kind: Secret
14-
metadata:
15-
name: longhorn-backup-credentials
16-
namespace: longhorn-system
17-
type: Opaque
18-
data:
7+
# S3-compatible MinIO backup configuration
8+
backup-target: "s3://longhorn-backups@us-east-1/"
9+
# Previous NFS configuration (commented out)
10+
# backup-target: "nfs://192.168.10.133:/mnt/BigTank/k8s/longhornbackup"
1911

20-
# For NFS, these might not be needed, but for S3-compatible:
21-
# AWS_ACCESS_KEY_ID: <base64-encoded-access-key>
22-
# AWS_SECRET_ACCESS_KEY: <base64-encoded-secret-key>
23-
# AWS_ENDPOINTS: <base64-encoded-truenas-s3-endpoint>
12+
# Note: longhorn-backup-credentials Secret is now managed by External Secrets
13+
# See: infrastructure/storage/longhorn/externalsecret.yaml
2414
---
25-
# Longhorn BackupTarget for NFS backup configuration
15+
# Longhorn BackupTarget for S3/MinIO backup configuration
2616
apiVersion: longhorn.io/v1beta2
2717
kind: BackupTarget
2818
metadata:
2919
name: default
3020
namespace: longhorn-system
3121
spec:
32-
backupTargetURL: "nfs://192.168.10.133:/mnt/BigTank/k8s/longhornbackup?nfsvers=3"
33-
credentialSecret: ""
22+
backupTargetURL: "s3://longhorn-backups@us-east-1/"
23+
credentialSecret: "longhorn-backup-credentials"
3424
pollInterval: "300s"
3525
---
3626
# Enable automatic snapshot cleanup during filesystem trim
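Review bot: the `backup-target` key in the `longhorn-backup-config` ConfigMap and `spec.backupTargetURL` on the `BackupTarget` now both carry `s3://longhorn-backups@us-east-1/`, so the URL lives in two places that must be kept in sync; if the ConfigMap key is no longer consumed after this change, drop it, otherwise state which one Longhorn actually reads. Also, switching the target from the NFS path to S3 means backups already written to `nfs://192.168.10.133:/mnt/BigTank/k8s/longhornbackup` are no longer listed by Longhorn; a short note on whether those are migrated into the `longhorn-backups` bucket or retired would help, and the commented-out NFS line could then be removed rather than kept as dead configuration.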
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
apiVersion: external-secrets.io/v1
2+
kind: ExternalSecret
3+
metadata:
4+
name: longhorn-backup-credentials
5+
namespace: longhorn-system
6+
spec:
7+
refreshInterval: "1h"
8+
secretStoreRef:
9+
kind: ClusterSecretStore
10+
name: 1password
11+
target:
12+
name: longhorn-backup-credentials
13+
creationPolicy: Owner
14+
data:
15+
- secretKey: AWS_ACCESS_KEY_ID
16+
remoteRef:
17+
key: minio
18+
property: minio_access_key
19+
- secretKey: AWS_SECRET_ACCESS_KEY
20+
remoteRef:
21+
key: minio
22+
property: minio_secret_key
23+
- secretKey: AWS_ENDPOINTS
24+
remoteRef:
25+
key: minio
26+
property: minio_endpoint
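Review bot: `creationPolicy: Owner` means the generated `longhorn-backup-credentials` Secret is garbage-collected together with this ExternalSecret, and the `BackupTarget` in backup-settings.yaml references that Secret by name, so deleting this object or a sync failure against the `1password` ClusterSecretStore that outlasts `refreshInterval: "1h"` turns the backup target unavailable with no change to the Longhorn manifests; worth a comment here and an alert on the ExternalSecret's Ready condition. Separately, `minio_endpoint` is not a secret (the README documents it as `http://192.168.10.133:9000`); keeping it in 1Password is fine, but note that with a plain `http://` endpoint backup data travels to the NAS unencrypted, and if MinIO is later put behind TLS with a private CA, Longhorn's optional `AWS_CERT` key would need to be added to this ExternalSecret as well.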

infrastructure/storage/longhorn/kustomization.yaml

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ resources:
66
- httproute.yaml
77
- backup-settings.yaml
88
- recurring-jobs.yaml
9+
- externalsecret.yaml
910
helmCharts:
1011
- name: longhorn
1112
repo: https://charts.longhorn.io
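Review bot: `externalsecret.yaml` is appended after `backup-settings.yaml`, so on a fresh apply the `BackupTarget` that references `longhorn-backup-credentials` is created before the ExternalSecret that produces it; Longhorn retries on its `pollInterval` and External Secrets creates the Secret shortly after, but the target will report unavailable in the meantime, so either list `externalsecret.yaml` before `backup-settings.yaml` or, since the README verifies the rollout through `kubectl get applications -n argocd`, give the ExternalSecret an earlier Argo CD sync wave so the Secret exists before the BackupTarget is reconciled.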
